
Crackmes: cli3nt’s mycrk

Language C
Linux x86/ELF


Difficulty: 1 - Very easy, for newbies
Platform: Unix/Linux, etc.
Language: C/C++


[Solving the Crackme]


As usual, we have to run the file first.



joset@kee:~/src/crackmes/mycrk$ ./mycrk
Type cd-key: eve
wrong!
joset@kee:~/src/crackmes/mycrk$

From this point we already know what the file needs: a correct key. I immediately disassembled the file without even bothering about its characteristics.



joset@kee:~/src/crackmes/mycrk$ objdump -d mycrk > temp.txt
joset@kee:~/src/crackmes/mycrk$ less temp.txt

The first trick is to look for the disassembly of the main function. Here's a portion of it.



...
80483d4:  c7 45 fc 67 1e 01 00    movl   $0x11e67,0xfffffffc(%ebp)
80483db:  c7 45 f8 70 12 5b 00    movl   $0x5b1270,0xfffffff8(%ebp)
80483e2:  c7 45 f0 06 00 00 00    movl   $0x6,0xfffffff0(%ebp)
80483e9:  83 ec 0c                sub    $0xc,%esp
80483ec:  68 14 85 04 08          push   $0x8048514
80483f1:  e8 ee fe ff ff          call   80482e4 <printf@plt>
80483f6:  83 c4 10                add    $0x10,%esp
80483f9:  83 ec 08                sub    $0x8,%esp
80483fc:  8d 45 f4                lea    0xfffffff4(%ebp),%eax
80483ff:  50                      push   %eax
8048400:  68 22 85 04 08          push   $0x8048522
8048405:  e8 ba fe ff ff          call   80482c4 <scanf@plt>
804840a:  83 c4 10                add    $0x10,%esp
804840d:  8b 45 f8                mov    0xfffffff8(%ebp),%eax
8048410:  3b 45 f4                cmp    0xfffffff4(%ebp),%eax
8048413:  75 1d                   jne    8048432 <main+0x6e>
8048415:  8b 55 f0                mov    0xfffffff0(%ebp),%edx
8048418:  8d 45 fc                lea    0xfffffffc(%ebp),%eax
804841b:  31 10                   xor    %edx,(%eax)
804841d:  83 ec 08                sub    $0x8,%esp


I am not going to provide detailed information about this. Let's look at the line with the cmp, since cmps usually attract crackers' eyes at first glance. ;) The instruction at 8048410 compares %eax with the local at 0xfffffff4(%ebp), and that local is exactly the address that was pushed for the preceding call 80482c4 <scanf@plt>, so it holds whatever we typed as the cd-key. %eax itself was loaded one instruction earlier from 0xfffffff8(%ebp), which main initialised with $0x5b1270 at 80483db. So the key is already sitting in the disassembly; how do we confirm the value of the eax register at runtime? Getting the idea? Of course, we will use gdb by setting a breakpoint on the cmp (after the mov into %eax has run) and displaying the value held by the eax register.



joset@kee:~/src/crackmes/mycrk$ gdb ./mycrk
...
(gdb) b *0x8048410
Breakpoint 1 at 0x8048410
(gdb) r
Starting program: /home/joset/src/crackmes/mycrk/mycrk
warning: Unable to find dynamic linker breakpoint function.
GDB will be unable to debug shared library initializers
and track explicitly loaded dynamic code.
Type cd-key: eve

Breakpoint 1, 0x08048410 in main ()
(gdb) print $eax
$1 = 5968496
(gdb)

Looking back, we can see that the jne at 8048413 would jump to 8048432 <main+0x6e> if the two values differed. Let's see what it does from there.



...
8048432:  83 ec 0c                sub    $0xc,%esp
8048435:  68 29 85 04 08          push   $0x8048529
804843a:  e8 a5 fe ff ff          call   80482e4 <printf@plt>
804843f:  83 c4 10                add    $0x10,%esp
8048442:  b8 00 00 00 00          mov    $0x0,%eax
8048447:  c9                      leave
8048448:  c3                      ret
...

This block pushes the string at 0x8048529, calls printf, and then returns 0 from main. Since this is where a mismatched key lands, it is safe to assume this printf is the "wrong!" notification we saw on the first run. :) Therefore the key is the value the eax register held a moment ago: 5968496, which is just 0x5b1270 in decimal. Let's try it.



joset@kee:~/src/crackmes/mycrk$ ./mycrk
Type cd-key: 5968496
73313
joset@kee:~/src/crackmes/mycrk$

Done. The 73313 printed on success is the result of the success path we saw begin at 8048415: the xor %edx,(%eax) at 804841b applies the third constant (0x6) to the first one (0x11e67), and 0x11e67 xor 0x6 = 0x11e61 = 73313.
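To check that reading of the listing, here is main() reconstructed in C from the disassembly above. This is an added example, not the crackme's original source: the variable names are mine (chosen from the stack offsets), the scanf format string at 0x8048522 is not shown in the listing so I assume it reads a decimal integer (which matches the runs), and the tail of the success path is cut off in the listing, so printing the xor result is inferred from the 73313 we saw.

```c
/* Reconstruction of cli3nt's mycrk main() from the objdump listing.
 * Added example, not the crackme's original source; names are mine. */
#include <stdio.h>

/* Constants read straight off the three movl instructions at the top of main. */
#define LOCAL_FC 0x11e67u   /* movl $0x11e67,0xfffffffc(%ebp) -> 73319  */
#define LOCAL_F8 0x5b1270u  /* movl $0x5b1270,0xfffffff8(%ebp) -> 5968496, the key */
#define LOCAL_F0 0x6u       /* movl $0x6,0xfffffff0(%ebp)                */

/* Returns 1 when `key` matches the constant at 0xfffffff8(%ebp) and stores
 * the value the program prints on success (0x11e67 xor 6) in *result.
 * Returns 0 on a wrong key, mirroring the jne to 8048432 (the "wrong!" path). */
int mycrk_check(unsigned int key, unsigned int *result)
{
    unsigned int a      = LOCAL_FC;   /* 0xfffffffc(%ebp) */
    unsigned int secret = LOCAL_F8;   /* 0xfffffff8(%ebp) */
    unsigned int mask   = LOCAL_F0;   /* 0xfffffff0(%ebp) */

    if (secret != key)                /* cmp 0xfffffff4(%ebp),%eax ; jne */
        return 0;

    a ^= mask;                        /* xor %edx,(%eax) at 804841b */
    *result = a;                      /* 0x11e61 = 73313 */
    return 1;
}

int main(void)
{
    unsigned int key, result;

    printf("Type cd-key: ");          /* push $0x8048514 ; call printf */
    if (scanf("%u", &key) != 1)       /* assumed format; the string at 0x8048522 is not in the listing */
        return 1;

    if (mycrk_check(key, &result))
        printf("%u\n", result);       /* success path, inferred from the 73313 output */
    else
        printf("wrong!\n");           /* push $0x8048529 ; call printf ; return 0 */
    return 0;
}
```

Compiling this with `gcc -m32 -O0` and diffing its objdump against the original is a quick way to confirm that nothing in the success path was missed before calling a crackme solved.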
